rsync-3.1.3-14.el8.3

Errata ID: AXSA:2022-3734:04

Release date: Thursday, August 25, 2022 - 01:09
Subject: rsync-3.1.3-14.el8.3
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The rsync utility enables users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync sends only the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-29154
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rsync-3.1.3-14.el8.3.src.rpm
    MD5: eb058511daa4c1c8a01c9d410475b3c4
    SHA-256: 4b465ff5630d2b68a7d21eb0b17c002e172bfc1432f70d58b2e6003cd4067f7c
    Size: 1.09 MB

Asianux Server 8 for x86_64
  1. rsync-3.1.3-14.el8.3.x86_64.rpm
    MD5: 9f9c4d24365f78f9d451ad4efcee4a01
    SHA-256: d49c9a6fec0eb94dc5e981e5ac1d830a373e91d218dc2cb130e8f6fb83af4150
    Size: 408.32 kB
  2. rsync-daemon-3.1.3-14.el8.3.noarch.rpm
    MD5: 69ea76179ad58e80b2e67488f576ccce
    SHA-256: ffa7b11e101c42224f8dbad22343d5fdfd5f0e1d99ca0f9839c80102c14a3339
    Size: 42.81 kB